The Bulgarian Supreme
Administrative Court (SAC) repeals a provision of the Data Retention
in the Internet Regulation

With a decision as of December 11, 2008 a five-member panel
of the Supreme Administrative Court (SAC) repealed a provision
of the Bulgarian Regulation # 40 transposing the Data Retention
Directive (2006/24/EC) challenged by AIP.

The Regulation was issued by the State Agency on Information
Technologies and Communication (SAITC) and the Ministry of Interior
(MoI) and promulgated in the State Gazette on January 29, 2008.

AIP challenged the Regulation submitting a complaint to the
SAC on March 19, 2008 arguing that its adoption is in violation
of the Constitution of the Republic of Bulgaria, the European
Convention on Human Rights, and the European Union legislation.
(More about the arguments in the complaint: http://www.aip-bg.org/documents/data_retention_campaign_eng.htm)

In its decision as of December 11, 2008, a five-member panel
of the SAC repealed the decision of the lower instance court
and Art. 5 of the challenged Regulation. Article 5 provides for
a passive access through a computer terminal by the
Ministry of Interior, as well as access without court permission
by security services and other law enforcement bodies, to all
retained data by Internet and mobile communication providers.

The court ruled that the provision did not set any limitations
with regard to the data access by a computer terminal and does
not provide for any guarantees for the protection of the right
to privacy stipulated by Art. 32, Para. 1 of the Bulgarian Constitution.
No mechanism was established for the respect of the constitutionally
granted right of protection against unlawful interference in
his private or family affairs and against encroachments on his
honor, dignity and reputation.

The court also found that the text of the Art. 5 of the Regulation,
providing that the investigative bodies, prosecutors office
and the court shall be granted access to retained data for
the needs of the criminal process, the security services
 for the needs of the national security, does
not provide limits against violations of constitutionally granted
rights of the citizens. Reference to specialized laws 
such as Penal Procedure Code, Special Surveillance Means Act,
Personal Data Protection Act, which specify conditions under
which access to personal data shall be granted, was not provided
either.

Furthermore, according to the court, Art. 5 of the Regulation
contradicts the provision of Art. 8 of the European Convention
on Human Rights, according to which everybody has the right to
respect for his private and family life, his home and his correspondence
and the interference of the state in such matters is unacceptable.
The exemptions from that principle are exhaustively listed by
Art. 8, Para. 2 of the Convention requiring that they are: in
accordance with the law and necessary in a democratic society
in the interests of national security, public safety or the economic
well-being of the country, for the prevention of disorder or
crime, for the protection of health or morals, or for the protection
of the rights and freedoms of others.

The court emphasizes that national legal norms shall comply
with that established principle and shall introduce comprehensible
and well formulated grounds for both access to the personal data
of citizens and the procedures for their retention. Article 5
of the Regulation lacks clarity in terms of protection of the
right of private and family life which contradicts the provision
of Art. 8 of the ECHR, the texts of the Directive 2006/24/EC,
and Art. 32 and 34 of the Bulgarian Constitution.

AIP will stay alert and try to prevent the adoption of any
texts that might violate constitutionally granted rights of Bulgarian
citizens.